Add Security page to www.openjsf.org

[ruddermann]

A security policy page is required to run a CNA, which is different than the page that lists security advisories themselves. This page will be static and change infrequently, thus why it’s hosted on the openjsf.org CMS. This page will list the CNA’s security policy and links for how to disclose to specific projects.

• https://openjsf.org/security should have a webpage that uses the same template as https://openjsf.org/privacy
• A “Security” link should be added under Privacy in the Legal column of the openjsf.org footer template.
• The content of this webpage can be found in the “OpenJS CNA Disclosure Policy” Section of the OpenJS CNA Application doc.

[ruddermann]

@bensternthal @kyliewd I made some updates to this ticket to clarify next steps. Please lmk if you have any questions!

[bensternthal]

@ruddermann Kylie is on parental leave. I think I will be the one creating this page.

[bensternthal]

@ruddermann below is a screenshot of the page, it was hard for me to understand what content in the google doc was appropriate to please let me know of any corrections. Note there are some missing links including:

• https://cve.openjsf.org
• The blog post

Shall we just comment those out so we can publish the page?

[adamruddermann]

Hey @bensternthal - this looks good! I've made a couple of changes to the copy in the screenshot for right now that we can update later. So use this instead and we should be g2g:

"To help enable effective coordinated vulnerability disclosure, the OpenJS Foundation operates a CVE Numbering Authority (CNA) for its hosted Incubating, At Large, Impact, and Emeritus projects. Our CNA’s root is the Red Hat Open Source Root CNA.

[bensternthal]

Done including the link in the footer.